Hi,

On 12/01/2018 10:44, eisenmad wrote:
> Hello,
>
> I have some problems, probably very easy ones but I am totally new to this
> kind of implementation.
>
> I have to configure an OpenVPN Server on a Raspberry Pi that
> authenticates against LDAP. I have a little experience with an OpenVPN
> Server that doesn't use LDAP. I installed openvpn-auth-ldap and edited
> auth-ldap.conf.
>
> <LDAP>
> # LDAP server URL
> URL ldap://ldap.jumpcloud.com:636
>
> # Bind DN (If your LDAP server doesn't support anonymous binds)
> # BindDN uid=Manager,ou=People,dc=example,dc=com
>
> # Bind Password
> # Password SecretPassword
>
> # Network timeout (in seconds)
> Timeout 15
>
> # Enable Start TLS
> TLSEnable yes
>
> # Follow LDAP Referrals (anonymously)
> FollowReferrals yes
>
> # TLS CA Certificate File
> TLSCACertFile /usr/local/etc/ssl/ca.pem
>
> # TLS CA Certificate Directory
> TLSCACertDir /etc/ssl/certs
>
> # Client Certificate and key
> # If TLS client authentication is required
> TLSCertFile /usr/local/etc/ssl/client-cert.pem
> TLSKeyFile /usr/local/etc/ssl/client-key.pem
>
> # Cipher Suite
> # The defaults are usually fine here
> # TLSCipherSuite ALL:!ADH:@STRENGTH
> </LDAP>
>
> <Authorization>
> # Base DN
> BaseDN "o=BaseDN_I_got_from_the_LDAP_admin,dc=jumpcloud,dc=com"
>
> # User Search Filter
> #SearchFilter "(&(uid=%u)(accountStatus=active))"
> SearchFilter "(&(uid=%u))"
>
> # Require Group Membership
> RequireGroup false
>
> # Add non-group members to a PF table (disabled)
> #PFTable ips_vpn_users
>
> <Group>
> BaseDN "ou=Groups,dc=example,dc=com"
> SearchFilter "(|(cn=developers)(cn=artists))"
> MemberAttribute uniqueMember
> # Add group members to a PF table (disabled)
> #PFTable ips_vpn_eng
> </Group>
> </Authorization>
>
> My OpenVPN server.conf is:
>
> port 1194
> proto udp
> dev tun
> sndbuf 0
> rcvbuf 0
> ca ca.crt
> cert server.crt
> key server.key
> dh dh.pem
> auth SHA512
> tls-auth ta.key 0
> topology subnet
> server 10.8.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> push "redirect-gateway def1 bypass-dhcp"
> push "dhcp-option DNS 192.168.0.1"
> keepalive 10 120
> cipher AES-256-CBC
> comp-lzo
> user nobody
> group nogroup
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3
> crl-verify crl.pem
> plugin /usr/lib/openvpn/openvpn-auth-ldap.so
> /etc/openvpn/auth/auth-ldap.conf login
> client-cert-not-required
>
> I copied my client.ovpn and the ca.crt from the OpenVPN Server to my
> Windows 10 machine and installed OpenVPN-Gui. Now a connection to the
> vpn server is working and I could login in the network. Now I have the
> following questions:
>
> I could login but I didn't have to pass my LDAP user and password for
> login. The jumpcloud admin made a test account for me. How to validate
> this?
>
> And is it normal that you could login without any user and password? All
> I did was copying the client.ovpn and ca.crt to the config folder of
> OpenVPN-Gui.
>
> Thanks for help and greetings
>
By "login" you mean connect to the VPN?

The man-page is a bit ambiguous regarding --client-cert-not-required and its successor, --verify-client-cert.

My hunch is that your client.ovpn contains a client certificate and private key, possibly embedded into the config file. Is this correct? If yes, I think OpenVPN is using/accepting the key/cert instead of actually enforcing LDAP auth.

My OpenVPN clients which authenticate against LDAP only have the tls-auth key and the CA certificate in their configs, coupled with the auth-user-pass option.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
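As an added example (not from the thread or from the OpenVPN project), a small Python check that applies the diagnosis in the reply to a client .ovpn: it reports whether the config ships client certificate material (cert/key/pkcs12 directives or inline <cert>/<key>/<pkcs12> blocks) and whether it carries auth-user-pass, so you can tell what a server running client-cert-not-required will actually be asked to verify. The two sample configs are constructed, and vpn.example.invalid is a placeholder hostname.

```python
import re

CERT_MATERIAL = ("cert", "key", "pkcs12")  # directives carrying a client cert/key

def audit_client_config(text):
    """Return {'cert_material': [...], 'auth_user_pass': bool} for a client config.
    cert_material: file directives or inline <cert>/<key>/<pkcs12> blocks found;
    auth_user_pass: True when the client will send a username/password."""
    found, auth_user_pass, in_block = set(), False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                   # blank or comment
        tag = re.fullmatch(r"<(/?)([A-Za-z0-9_-]+)>", line)
        if tag:                                        # inline block start/end
            in_block = None if tag.group(1) else tag.group(2)
            if in_block in CERT_MATERIAL:
                found.add("<%s>" % in_block)
            continue
        if in_block:
            continue                                   # PEM payload, skip
        word = line.split()[0]
        if word in CERT_MATERIAL:
            found.add(word)
        elif word == "auth-user-pass":
            auth_user_pass = True
    return {"cert_material": sorted(found), "auth_user_pass": auth_user_pass}

def verdict(text):
    """One-line diagnosis of what the server will be asked to verify."""
    a = audit_client_config(text)
    if a["cert_material"] and not a["auth_user_pass"]:
        return "cert-only: no LDAP username/password is ever sent"
    if a["auth_user_pass"] and not a["cert_material"]:
        return "password-only: the server must verify a username/password"
    if a["auth_user_pass"]:
        return "cert+password"
    return "no credentials: nothing for the server to verify"

# Constructed samples: the poster's likely config (inline cert and key, no
# auth-user-pass) and the shape Samuli describes (CA + tls-auth key + prompt).
CERT_ONLY = "\n".join(["client", "dev tun", "remote vpn.example.invalid 1194",
                       "ca ca.crt", "<cert>", "(placeholder PEM)", "</cert>",
                       "<key>", "(placeholder PEM)", "</key>"])
PASSWORD_ONLY = "\n".join(["client", "dev tun", "remote vpn.example.invalid 1194",
                           "ca ca.crt", "tls-auth ta.key 1", "auth-user-pass"])
```

Run `verdict()` over each deployed client profile; a "cert-only" result on a server that is supposed to enforce LDAP means the certificate, not the directory, is what admits the user.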